Tuesday, 15 February 2022

Why should SMEs care about state-sponsored cybercrime?

Recently, the UK’s NCSC joined 3 American institutions in warning western organisations to be aware of state-sponsored cyber crime. But why should SMEs care?

At the end of January, the UK’s National Cyber Security Centre joined three American institutions in taking the unusual step of warning western organisations to be aware and prepared for ransomware and other malicious activities by state-sponsored cyber criminals.

While the step to warn organisations about serious state-sponsored cyber threats from Russia and China was unusual, for most small and mid-size business owners the news was little more than a talking point – if that.

For many organisations the warning wasn’t even on their radar.

Even for those who paid attention might well ask: why should we care? What could the Russian state possibly want with us? Why on earth would Chinese-backed cyber criminals want to get onto our network?

State-sponsored cyber crime

According to the UK Government’s cyber strategy report, ransomware became the most significant cyber threat facing the UK in 2021. Furthermore, is says, the most consistent of these threats emanated from Russia and China.

The report highlights the devastating attack on Hackney Council in October 2020. It suffered a ransomware attack at a critical time in dealing with the pandemic which caused many months of disruption and cost millions of pounds. The council was locked out of important data and important services were disrupted, including council tax and benefit payments.

The report also attributes the December 2020 SolarWinds cyber-attack, one of the most serious cyber intrusions of recent times, to the Russian Foreign Intelligence Service (SVR). And it says that the March 2021 attack on Microsoft Exchange servers was carried out by Chinese state-backed actors.

In response, the NCSC is working with US partners – the FBI, the Cybersecurity and Infrastructure Agency and the National Security Agency (NSA) – to promote understanding of state-sponsored cyber threats.

Government advice

The most recent NCSC advice(1) is particularly aimed at critical infrastructure providers. They should, the NCSC says, take immediate steps to strengthen their cyber security posture. However, every organisation should take the opportunity to read the published advice and understand the threat. The advisory(2) provides an overview of Russian state-sponsored cyber operations. This included commonly observed tactics, techniques and procedures (TTPs). It also offers advice on detection actions, incident response guidance and mitigations.

In particular it recommends:

• Patch all systems

• Prioritise the patching of vulnerabilities that are known to have been exploited

• Implement multi-factor authentication

• Use anti-virus software

The advice also warns about spear phishing and brute force tactics. It reports that these tactics have been used successfully by Russian state-backed actors in the past.

Cyber-attacks this year

The importance of following this advice was highlighted in early February this year(3), when two German fuel and oil distributors announced that they had fallen victim to a cyber-attack which had disrupted their operations.

Although critical infrastructure operations are high-priority targets, the attacks aren’t limited to infrastructure organisations. Public sector services are also at significant risk. Further, any organisation in the supply chain of a high-priority target is at risk, as cyber attackers look for vulnerable ways into their targets’ systems.

Plus, as the 2021 Microsoft Exchange server attack demonstrated, organisations can be imperilled simply because they are using the same software or operating systems as target organisations. We saw this back in May 2017 as well, when the WannaCry ransomware attack left many NHS trusts reeling, thanks to the exploitation of known vulnerabilities in outdated Windows operating systems.

This illustrates that your business doesn’t have to be a direct target to be affected by malicious cyber activity.

Cyber Essentials is changing

The UK Government is so concerned about these threats, that the NCSC has updated its Cyber Essentials scheme. The Cyber Essentials controls have been updated to reflect the heightened ransomware threat (as well as to address changes to the way we work that have been expedited during the pandemic).

It is the most significant change to the Cyber Essentials scheme since the scheme was launched in 2014.

Chris Ensor, NCSC Deputy Director for Cyber Skills and Growth(4), said, “The landscape in which organisations are operating in cyber space is constantly changing and this major refresh of the technical controls reflect the cyber security challenges of today. We’ve strengthened the Cyber Essentials scheme so that it continues to meet evolving threats and the increased risk of ransomware. I would encourage UK businesses of any size to take part in order to protect themselves from the most common attacks.”

Effective backups and recovery are the best protection against ransomware

In the face of the ransomware threat, it’s absolutely vital that organisations have good backup solutions in place. If a ransomware attack locks you out of your systems, it’s the only chance you have to restore operations without paying a ransom (and paying a ransom is no guarantee of being able to restore operations).

That said, your backup and recovery plan isn’t foolproof either.

In December 2020, the Scottish Environmental Protection Agency (SEPA) suffered a serious, complex and sophisticated cyber-attack. Vital data was encrypted, stolen or deleted overnight. Cyber criminals demanded a ransom if SEPA was to access its data again.

SEPA chose not to pay. Thanks to the good backup and recovery measures the organisation had in place, it was able to continue to operate.

However, last month the Auditor General for Scotland found that SEPA still doesn’t know the full financial implications of the cyber-attack. The report said, “SEPA’s backup policy was in line with best practice in that there were three copies of the data, located at two separate locations, with one copy stored offline. However, the sophisticated nature of the attack meant that the online backups were targeted and corrupted at an early stage, meaning there was no way of accessing historical records quickly.”

What next?

If you’d like to understand more about a successful backup and recovery strategy, you can find information on our blog.

Or, for personalised advice about what your organisation can do to mitigate and prepare for the threat, please reach out to our team on 0808 164 4142. Or book a call below:

Book a 15-minute chat  >>>


1. https://www.ncsc.gov.uk/news/ncsc-us-partners-promote-understanding-mitigation-russian-state-sponsored-cyber-threats

2. https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

3. https://www.computing.co.uk/news/4044258/cyber-attack-german-oil-storage-distribution-firms-impacts-fuel-supplies

4. https://www.ncsc.gov.uk/news/new-look-cyber-essentials-scheme-supports-organisations-to-stay-ahead-of-the-cyber-threat-